Changes in WebAssembly Could Render Meltdown and Spectre Browser Patches Useless

LASER_oneXM

Upcoming additions to the WebAssembly standard may render useless some of the mitigations put up at the browser level against Meltdown and Spectre attacks, according to John Bergbom, a security researcher at Forcepoint.


WebAssembly (WA or Wasm) is a new technology that shipped last year and is currently supported within all major browsers, such as Chrome, Edge, Firefox, and Safari.


The technology is a compact binary language that a browser will convert into machine code and run directly on the CPU.


Browser makers created WebAssembly to improve the speed of delivery and performance of JavaScript code, but as a side effect, they also created a way for developers to port code from other high-level languages (such as C, C++, and others) into Wasm, and then run it inside a browser.


All in all, the WebAssembly standard is viewed as a success in the web dev community, and there've been praises for it all around.

WebAssembly is not immune to abuse

But like all technologies, it also came with some unforeseen side effects and cases of abuse. For starters, the rise of in-browser cryptocurrency miners (cryptojacking scripts) can be traced precisely to the addition of WebAssembly inside major browsers, as all in-browser miners run on top of WebAssembly, and not pure JavaScript.


Now, a Forcepoint researcher argues there could be another unintended side effect of WebAssembly for web users.

... ....